As enterprises continue their digital transformation journey in this post-COVID era, applications are the engine that drives their business growth. Whether an enterprise is digital-first or is accelerating its digital transformation initiatives, APIs not only open up systems so that applications can run faster, but are also the de facto core of today's modern application development styles, such as microservices, Docker, and Kubernetes. The next time you are watching Netflix, or listening to Spotify on your smartphone, remember that there is guaranteed to be an API behind your point-and-click request for more information about the artist. Google's 2021 State of API Economy Research reported that 58% of global enterprise IT decision-makers said APIs are speeding new app development. Meanwhile, cyberattackers have already pivoted and focused their malicious activities on this promising environment.
Watching the API floodgates open, enterprises are instinctively searching for solutions and best practices to guide their API security strategy. Many are examining the API management solutions that have guided their API best practices, along with the limited visibility those solutions give them into the APIs already deployed. Others gained API visibility from the swagger files submitted through their API DevOps best practices (details are available here). As API deployments continue to proliferate, this process creates many overhead challenges, from deployment delays (which work against the very benefits APIs are meant to deliver) to the significant impact of errors in manual processes. Consequently, the best practice of deploying APIs with swagger files was being circumvented as developers focused more on functionality and agility. Nevertheless, our customer conversations continued to reinforce swagger's importance in driving enterprise API adoption.
One of the popular topics of API security in our enterprise conversations was the need for comprehensive visibility, which many have stated is the instrumental first step to protecting your application, infrastructure, and customer data. Whether enterprises follow swagger best practices or not, we understood the importance of identifying all active APIs within an enterprise's traffic. Many security vendors talk about the importance of API visibility and commonly ask, "How can you protect things you can't see?" More importantly, wouldn't it be nice to have not only the visibility feature but also the automation to get comprehensive API activity insights from their traffic, whether they have swagger files or not?
For those APIs that have swagger files, you can manage the risks of threats and abuse:
- Leverage the swagger files to define API security policies and block abnormal behavior.
- For swagger files that are incomplete, improperly defined, or out of date, one can monitor those APIs and generate swagger templates to help guide discussions with the developers and development teams. These templates offer a bridge between developers and security so that the reported APIs follow the enterprise's latest policies. Most importantly, these APIs no longer drift from their original intent into threats or abuse.
For those APIs that don't have swagger files, you can still provide security:
- Data discovery offers an API Blueprint: a log of active API endpoints (generated by time and traffic) that exist beyond the policies of any approved swagger file.
- Today, these so-called rogue APIs (APIs without swagger files) are automatically blocked at first discovery. They remain blocked, or optionally trigger alerts instead, until the development team reviews their blueprints and either updates existing swagger files or creates new ones.
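The two workflows above (enforcing a swagger file as policy, and building a blueprint plus a draft swagger template for endpoints that have none) can be sketched in a few dozen lines. The following is an added illustration written for this post, not Imperva's code and not how Cloud WAF implements it: the spec, the access-log lines, and the PII patterns are all constructed, and a real swagger/OpenAPI document would be loaded from YAML or JSON rather than a dict.

```python
"""Added illustration (not Imperva's code): check observed API traffic against a
swagger/OpenAPI spec, flag rogue endpoints, and draft a swagger template for them."""
import json
import re
from collections import defaultdict

# Constructed minimal spec: path template -> method -> documented query parameters.
# A real swagger file is YAML/JSON; a dict keeps this example offline and dependency-free.
SPEC = {
    "paths": {
        "/v1/users/{id}": {"get": {"parameters": []}},
        "/v1/orders": {"post": {"parameters": ["sku", "qty"]}},
    }
}

# Constructed sample access-log lines in the form "METHOD /path?query".
LOG_LINES = [
    "GET /v1/users/42",
    "GET /v1/users/42?debug=1",
    "DELETE /v1/users/42",
    "POST /v1/orders?sku=123&qty=2",
    "GET /v1/admin/export?ssn=123-45-6789",
    "POST /v1/payments?card=4111111111111111&qty=1",
]

# Simple value patterns for the PII kinds the post mentions (SSN, credit card number).
PII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^\d{13,19}$"),
}


def compile_spec(spec):
    """Turn swagger path templates ({id}) into regexes plus per-method parameter sets."""
    compiled = []
    for template, ops in spec["paths"].items():
        segments = [r"[^/]+" if s.startswith("{") else re.escape(s)
                    for s in template.split("/")]
        regex = re.compile("^" + "/".join(segments) + "$")
        methods = {m.upper(): set(op.get("parameters", [])) for m, op in ops.items()}
        compiled.append((regex, template, methods))
    return compiled


def parse_line(line):
    """Split 'METHOD /path?a=1&b=2' into (method, path, {param: value})."""
    method, _, url = line.strip().partition(" ")
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return method.upper(), path, params


def find_pii(params):
    """Return {param_name: pii_kind} for values that look like SSNs or card numbers."""
    return {name: kind for name, value in params.items()
            for kind, pat in PII_PATTERNS.items() if pat.match(value)}


def classify(line, compiled):
    """Policy decision for one request: allowed, abnormal (known path but undocumented
    method or parameter), or rogue (path not covered by any swagger file)."""
    method, path, params = parse_line(line)
    for regex, template, methods in compiled:
        if regex.match(path):
            if method not in methods:
                return "abnormal", f"{method} not defined for {template}"
            extra = sorted(set(params) - methods[method])
            if extra:
                return "abnormal", f"undocumented parameters {extra} on {template}"
            return "allowed", template
    return "rogue", path


def build_blueprint(lines, compiled):
    """API Blueprint: rogue endpoints seen in traffic, with methods, parameters, PII hints."""
    blueprint = defaultdict(lambda: {"methods": set(), "parameters": set(), "pii": {}})
    for line in lines:
        verdict, _ = classify(line, compiled)
        if verdict != "rogue":
            continue
        method, path, params = parse_line(line)
        entry = blueprint[path]
        entry["methods"].add(method)
        entry["parameters"].update(params)
        entry["pii"].update(find_pii(params))
    return dict(blueprint)


def swagger_template(blueprint):
    """Draft a swagger-style 'paths' skeleton from the blueprint for developers to review."""
    paths = {}
    for path, entry in sorted(blueprint.items()):
        paths[path] = {
            method.lower(): {
                "parameters": [
                    {"name": p, "in": "query", "required": False,
                     **({"x-pii": entry["pii"][p]} if p in entry["pii"] else {})}
                    for p in sorted(entry["parameters"])
                ],
                "responses": {"200": {"description": "TODO: document"}},
            }
            for method in sorted(entry["methods"])
        }
    return {"swagger": "2.0", "paths": paths}


if __name__ == "__main__":
    compiled = compile_spec(SPEC)
    for line in LOG_LINES:
        print(f"{classify(line, compiled)[0]:8} {line}")
    print(json.dumps(swagger_template(build_blueprint(LOG_LINES, compiled)), indent=2))
```

Run as-is, the script labels the documented `GET /v1/users/42` and `POST /v1/orders` requests as allowed, the undocumented `debug` parameter and `DELETE` method as abnormal, and the two paths absent from the spec as rogue; the blueprint for those two carries an `x-pii` hint on the `ssn` and `card` parameters, which is the kind of detail a reviewer would want before approving a new swagger file.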
Now, think about the added benefits of gaining API insights into those endpoints that are transferring personal data and PII (e.g. SSN, credit card information, etc.). These benefits are especially critical today as global privacy and compliance statutes continue to evolve and become more complex. To learn more about Imperva’s approach to gaining insights on your APIs from Cloud WAF, please reach out to your Imperva Account Representative.
*** This is a Security Bloggers Network syndicated blog from Blog authored by John Oh. Read the original post at: https://www.imperva.com/blog/gaining-insights-is-fundamental-for-api-security/